Commit fb4f7a7b authored by Francois Marier's avatar Francois Marier

Escape the name of an institution in a query



This is not exploitable because validation of the shortname field
prevents admins from adding quotes to an institution's name.
Signed-off-by: default avatarFrancois Marier <francois@catalyst.net.nz>
parent 2e2f34ab
......@@ -362,7 +362,7 @@ class Institution {
// If the user is being authed by the institution they are
// being removed from, change them to internal auth
$authinstances = get_records_select_assoc('auth_instance', "
institution IN ('mahara','" . $this->name . "')");
institution IN ('mahara', " . db_quote($this->name) . ')');
$oldauth = $user->authinstance;
if (isset($authinstances[$oldauth]) && $authinstances[$oldauth]->institution == $this->name) {
foreach ($authinstances as $ai) {
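Review bot: The institution name is still concatenated into the SQL text on the new `institution IN ('mahara', " . db_quote($this->name) . ')'` line, so the query is only as safe as each call site remembering to quote. If `get_records_select_assoc` accepts a values array (its signature is not visible here), a bound placeholder removes that dependency: `get_records_select_assoc('auth_instance', "institution IN ('mahara', ?)", array($this->name));`. The commit message relies on shortname validation to argue the old form was not exploitable; binding the value keeps the query safe even if that validation is later relaxed or the name is set through another path. Separately, the context line `$authinstances[$oldauth]->institution == $this->name` uses a loose comparison, and `===` would be safer if both sides are always strings. The enclosing method starts and ends outside this hunk.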
......